Sourced from org.springframework.security:spring-security-bom's releases.

7.0.4

⭐ New Features

• Update RestTemplateBuilder usage in opaque-token.adoc #18836

🪲 Bug Fixes

• Fix GrantedAuthority.authority null in AuthoritiesAuthorizationManager #18784
• Add Jackson Mixin for WebAuthnAuthentication #18878
• Add Missing OnCommitedResponseWrapper Header Overrides #18799
• Document the change in dependency coordinates with Spring Security 7 #18773
• Ensure tests clear AuthorizationServerContextHolder #18768
• Fix CookieRequestCache parameters #18864
• Fix Flaky Crypto Tests #18842
• Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs #18897
• HttpMessageConverterAuthenticationSuccessHandler Supports Jackson 3 #18834
• OAuth2DeviceVerificationEndpointFilter should be applied after AuthorizationFilter #18873
• Restore upgradeEncoding condition in DaoAuthenticationProvider #18788
• saveAuthenticationRequest should read relayState from authenticationRequest #18884
• SecurityExpressionRoot#hasAuthority should delegate to AuthorizationManagerFactory#hasAuthority #18487
• ServerHttpSecurityConfiguration should not set userDetailsPasswordService to a null value #18276
• TokenBasedRememberMeServices documentation snippets should compile #18642
• Update request-matcher XML property to support PathPatternRequestMatcher #18737

🔨 Dependency Upgrades

• Bump @antora/collector-extension from 1.0.2 to 1.0.3 in /docs #18853
• Bump actions/upload-artifact from 6.0.0 to 7.0.0 #18810
• Bump ch.qos.logback:logback-classic from 1.5.29 to 1.5.32 #18752
• Bump com.webauthn4j:webauthn4j-core from 0.31.0.RELEASE to 0.31.1.RELEASE #18830
• Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4 #18877
• Bump org-apache-maven-resolver from 1.9.25 to 1.9.26 #18751
• Bump org-apache-maven-resolver from 1.9.26 to 1.9.27 #18792
• Bump org.apache.maven:maven-resolver-provider from 3.9.12 to 3.9.13 #18861
• Bump org.apache.maven:maven-resolver-provider from 3.9.13 to 3.9.14 #18887
• Bump org.junit:junit-bom from 6.0.2 to 6.0.3 #18743
• Bump org.springframework.data:spring-data-bom from 2025.1.3 to 2025.1.4 #18904
• Bump org.springframework:spring-framework-bom from 7.0.4 to 7.0.5 #18764
• Bump org.springframework:spring-framework-bom from 7.0.5 to 7.0.6 #18905
• Update Antora UI Spring to v0.4.26 #18893
• Update to spring-security-release-tools 1.0.15 #18909

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​busoco-sjb, @​making, @​meliezer, @​ngocnhan-tran1996, @​rwinch, @​sephiroth-j, @​therepanic, @​thuri, and @​ziqin

• 9bd793f Release 7.0.4
• a2c0ac1 Update to spring-security-release-tools 1.0.15
• ea6e7ab Merge branch '6.5.x' into 7.0.x
• 01ff3b0 Add Workflow for Deferring Issues
• e8cb0ef Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• 33e6f4b Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs
• 524ae92 Merge Add Jackson Mixin for WebAuthnAuthentication
• 47146f3 Add Jackson Mixin for WebAuthnAuthentication
• e7080e8 Update Antora UI Spring to v0.4.26
• c348a7a Bump io.projectreactor:reactor-bom from 2025.0.3 to 2025.0.4
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)